EAP-TLS and LDAP with Windows Server 2012R2 Native Functional Level

tj2718 at aol.com tj2718 at aol.com
Fri Nov 4 18:28:03 CET 2016

> On Tue, Oct 25, 2016 at 08:15:11PM -0400, Travis via Freeradius-Users wrote:
> > > I was bitten by that too. Try changing it to:
> Personally (and what I do here) I would use the check-eap-tls virtual server
> so you can check the actual contents of the certificate with LDAP, rather than
> relying on the contents of the User-Name attribute. Which a client could
> easily spoof, but they can't spoof the certificate subject.

Many thanks Matthew!  I didn't know there even was a check-eap-tls virtual
server that I could use.  Once I created a soft link and configured that I started getting
more of what I was expecting to see.

> For plain users, just call "ldap" in the inner tunnel as usual.
> Possibly wrapped around with a if EAP-Type == PEAP so it doesn't get called
> for hosts (check-eap-tls won't get called for PEAP as there is no client
> certificate, so you don't need that the other way around).
> But essentially - look at the LDAP lookups that FreeRADIUS is doing, and then
> go update the configuration so it does the right lookups with the data it has
> available.

I had to do some minor tweaks to my sites-enabled\default config with some
if statements:

        if (&User-Name == "host/%{TLS-Client-Cert-Common-Name}") {

        elsif (!(&Ldap-Group == "CN=WiFi,OU=RSD Groups,DC=rsdtc,DC=com")) {

but now all the tablets with certificates are working along with users in a LDAP-Group.

Thank you to everyone who responded with their insight and guidance.

Now on to my next post regarding iPhones with certificates doing EAP-TLS failing.
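As an added illustration of the advice in this thread (constructed here, not code from the original post or from the FreeRADIUS distribution), a check-eap-tls virtual server that takes the identity from the verified client certificate instead of the supplicant-controlled User-Name, looks it up in LDAP, and rejects on a failed lookup or a failed group check. The "host/<CN>" naming and the WiFi group DN are taken from the post; the file location, the eap module reference and the assumption that the ldap module's user filter matches that naming are mine.

```unlang
# Constructed example: sites-available/check-eap-tls, enabled with a symlink
# in sites-enabled and referenced from the eap module as
#   tls { virtual_server = check-eap-tls }      (assumed; check your version)
# FreeRADIUS calls this virtual server once the TLS handshake has verified
# the client certificate, with the TLS-Client-Cert-* attributes populated.
server check-eap-tls {
	authorize {
		# No usable subject in the certificate: nothing to look up.
		if (!&TLS-Client-Cert-Common-Name) {
			reject
		}

		# Derive the lookup key from the certificate, never from the
		# outer User-Name (the supplicant chooses that value).
		# Assumption: the ldap module's user filter is written so that
		# "host/<cn>" matches the machine account in the directory.
		update request {
			&User-Name := "host/%{TLS-Client-Cert-Common-Name}"
		}

		ldap
		if (notfound || fail) {
			# Certificate is valid but the device is unknown to LDAP.
			reject
		}

		# Optional: also require the device to be in the WiFi group
		# from the post (Ldap-Group is evaluated by the ldap module).
		if (!(&Ldap-Group == "CN=WiFi,OU=RSD Groups,DC=rsdtc,DC=com")) {
			reject
		}

		# Falling through without a reject lets EAP-TLS complete.
		ok
	}
}
```

Watch the debug output (radiusd -X) for the LDAP filter actually sent, and adjust the ldap module's user filter until it matches how the machine accounts are stored.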
